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1.Which two statements about metadata variables are true? (Choose two.) 

A. You create them on FortiGate 

B. They apply only to non-firewall objects. 

C. The metadata format is $<metadata_variabie_name>. 

D. They can be used as variables in scripts 

Answer: BD 

Explanation: 

Metadata variables are custom fields that you can create on FortiManager to store additional information 
about objects or devices. They can be used as variables in Jinja2 CLI templates or scripts to apply 
configurations to multiple devices or objects. They do not apply only to non-firewall objects, but also to 
firewall objects such as addresses, services, policies, etc. The metadata format is not 
$<metadata_variable_name>, but @<metadata_variable_name>@. 

Reference: = Using meta field variables, Metadata Variables are supported in Firewall Objects 
configuration, Technical Tip: New Meta Variables and their usage including Jinja Templates, Technical Tip: 
Firewall objects use as metadata variable 


2.Refer to the exhibit, which contains a partial BGP combination. 


You want to configure a loopback as the OGP source. 

Which two parameters must you set in the BGP configuration? (Choose two) 

A. ebgp-enforce-multihop 

B. recursive-next-hop 

C. ibgp-enfoce-multihop 

D. update-source 

Answer: A, D 

Explanation: 

To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop” and 
“update-source” parameters in the BGP configuration. The “ebgp-enforce-multihop” allows EBGP 
connections to neighbor routers that are not directly connected, while “update-source” specifies the IP 
address that should be used for the BGP session1. 

Reference: = BGP on loopback, Loopback interface, Technical Tip: Configuring EBGP Multihop 
Load-Balancing, Technical Tip: BGP routes are not installed in routing table with loopback as update 
source 


3.Exhibit. 
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Refer to the exhibit, which shows a partial web filter profile conjuration 

What can you cone udo from this configuration about access to www.facebook, com, which is categorized 
as Social Networking? 

A. The access is blocked based on the Content Filter configuration 

B. The access is allowed based on the FortiGuard Category Based Filter configuration 

C. The access is blocked based on the URL Filter configuration 

D. The access is hocked if the local or the public FortiGuard server does not reply 

Answer: C 

Explanation: 

The access to www.facebook.com is blocked based on the URL Filter configuration. In the exhibit, it 
shows that the URL “www.facebook.com” is specifically set to “Block” under the URL Filter section‘. 
Reference: = Fortigate: How to configure Web Filter function on Fortigate, Web filter | 

FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL filtering ... - Fortinet ... - 
Fortinet Community 


4.An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the 
administrator notices that some of the switches in the network continue to send traffic to the former 
primary device. 

What can the administrator do to fix this problem? 

A. Verity Mai the speed and duplex settings match between me FortiGate interfaces and the connected 
switch ports 

B. Configure set link -failed signal enable under-config system ha on both Cluster members 

C. Configure remote link monitoring to detect an issue in the forwarding path 

D. Configure set send-garp-on-failover enables under config system ha on both cluster members 
Answer: B 
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Explanation: 

Virtual MAC Address and Failover 

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now 
reachable through a different switch port. 

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force 
former primary to shut down all its interfaces for one second when the failover happens (excluding 
heartbeat and reserved management interfaces): 

#Config system ha 

set link-failed-signal enable 

end 

- This simulates a link failure that clears the related entries from MAC table of the switches. 


5.Exhibit. 


NGFW-1 # get router info ospf interface 
port3 is up, line protocol is up 
Internet Address 10.1.0.254/24, Area 0.0.0.0, MTU 1589 
Process ID @, VRF @, Router ID 0.0.0.1, Network Type BROADCAST, Cost: 1 


e 
Transmit Delay ís 1 sec, State DROther, Priority 1 
Designated Router (ID) 0.0.0.3, Interface Address 190.1.9.1 
Backup Designated Router (ID) 8.8.8.2 Interface Address 18.1.8.108 


Timer intervals configured, Hello 10.800, Dead 46, Wait 48, Retransmit 5 
Hello > in 60:86:08 

Neighbor Count is 2, Adjacent neighbor count is 2 

Crypt Sequence Number is 21 

Hello received 412 sent 287, DO received £ 

LS-Req received 2 sent 3, LS-Upd received 13 


LS-Ack received 9 sent 7, Discarded 6 


Refer to the exhibit, which shows information about an OSPF interlace 

What two conclusions can you draw from this command output? (Choose two.) 

A. The port3 network has more man one OSPF router 

B. The OSPF routers are in the area ID of 0.0.0.1. 

C. The interfaces of the OSPF routers match the MTU value that is configured as 1500. 
D. NGFW-1 is the designated router 

Answer: A, D 


6.In which two ways does fortiManager function when it is deployed as a local FDS? (Choose two) 

A. It can be configured as an update server a rating server or both 

B. It provides VM license validation services 

C. It supports rating requests from non-FortiGate devices. 

D. It caches available firmware updates for unmanaged devices 

Answer: A, D 

Explanation: 

The command output shows that the Neighbor Count is 2, indicating that there are more than one OSPF 
routers on the port3 network (Option A). NGFW-1 is also identified as the Designated Router (Option D). 
Reference: = OSPF | FortiGate / FortiOS 7.2.2 - Fortinet Documentation, OSPF configuration guide for 
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7.Refer to the exhibit. 


which contains a partial configuration of the global system. 

What can you conclude from this output? 

A. NPs and CPs are enabled 

B. Only CPs arc disabled 

C. Only NPs are disabled 

D. NPs and CPs arc disabled 

Answer: A 

Explanation: 

The configuration does not show any explicit disabling of NPs (Network Processors) or CPs (Content 
Processors). In Fortinet Enterprise Firewall, unless explicitly disabled, these processors are enabled by 
default to handle specific types of traffic efficiently12. Reference: = Hardware acceleration | FortiGate / 
FortiOS 7.2.2 - Fortinet Documentation, NSE 7 Network Security Architect - Fortinet 


8.Refer to the exhibit, which shows a routing table. 
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What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose 
two.) 

A. Remove the 16.1.10.C prefix from the OSPF network 

B. Configure a distribute-list-out 

C. Configure a route-map out 

D. Disable Redistribute Connected 

Answer: B, C 

Explanation: 

To block the advertisement of the 10.1.10.0 prefix in OSPF, you can configure a distribute-list-out or a 
route-map out. A distribute-list-out is used to filter outgoing routing updates from being advertised to 
OSPF neighbors1. A route-map out can also be used for filtering and is applied to outbound routing 
updates2. 

Reference: = Technical Tip: Inbound route filtering in OSPF usi ... - Fortinet Community, OSPF | FortiGate 
/ FortiOS 7.2.2 - Fortinet Documentation 


